[libsoup] Don't do SSLv3 fallback if TLS fails



commit 205342c243ae68e3f96b6cee2a280c302f6bbc8d
Author: Dan Winship <danw gnome org>
Date:   Tue May 3 14:11:35 2016 -0400

    Don't do SSLv3 fallback if TLS fails
    
    Firefox and Chrome have both removed support for this. Fix your
    server!
    
    (This is still supported by SoupSocket, since removing that would be
    an API break, but SoupSession never makes use of the feature now.)
    
    https://bugzilla.gnome.org/show_bug.cgi?id=765940

 libsoup/soup-connection.c |   24 +-----------------------
 libsoup/soup-connection.h |    3 ---
 libsoup/soup-session.c    |   20 +-------------------
 3 files changed, 2 insertions(+), 45 deletions(-)
---
diff --git a/libsoup/soup-connection.c b/libsoup/soup-connection.c
index 77b1c8b..00fd4c3 100644
--- a/libsoup/soup-connection.c
+++ b/libsoup/soup-connection.c
@@ -19,7 +19,7 @@ typedef struct {
        SoupSocketProperties *socket_props;
 
        SoupURI *remote_uri, *proxy_uri;
-       gboolean ssl, ssl_fallback;
+       gboolean ssl;
 
        SoupMessage *current_msg;
        SoupConnectionState state;
@@ -43,7 +43,6 @@ enum {
        PROP_0,
 
        PROP_REMOTE_URI,
-       PROP_SSL_FALLBACK,
        PROP_SOCKET_PROPERTIES,
        PROP_STATE,
 
@@ -105,9 +104,6 @@ soup_connection_set_property (GObject *object, guint prop_id,
                else
                        priv->ssl = FALSE;
                break;
-       case PROP_SSL_FALLBACK:
-               priv->ssl_fallback = g_value_get_boolean (value);
-               break;
        case PROP_SOCKET_PROPERTIES:
                priv->socket_props = g_value_dup_boxed (value);
                break;
@@ -130,9 +126,6 @@ soup_connection_get_property (GObject *object, guint prop_id,
        case PROP_REMOTE_URI:
                g_value_set_boxed (value, priv->remote_uri);
                break;
-       case PROP_SSL_FALLBACK:
-               g_value_set_boolean (value, priv->ssl_fallback);
-               break;
        case PROP_SOCKET_PROPERTIES:
                g_value_set_boxed (value, priv->socket_props);
                break;
@@ -187,13 +180,6 @@ soup_connection_class_init (SoupConnectionClass *connection_class)
                                    SOUP_TYPE_URI,
                                    G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
        g_object_class_install_property (
-               object_class, PROP_SSL_FALLBACK,
-               g_param_spec_boolean (SOUP_CONNECTION_SSL_FALLBACK,
-                                     "SSLv3 fallback",
-                                     "Use SSLv3 instead of TLS",
-                                     FALSE,
-                                     G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
-       g_object_class_install_property (
                object_class, PROP_SOCKET_PROPERTIES,
                g_param_spec_boxed (SOUP_CONNECTION_SOCKET_PROPERTIES,
                                    "Socket properties",
@@ -412,7 +398,6 @@ soup_connection_connect_async (SoupConnection      *conn,
 
        priv->socket =
                soup_socket_new (SOUP_SOCKET_REMOTE_ADDRESS, remote_addr,
-                                SOUP_SOCKET_SSL_FALLBACK, priv->ssl_fallback,
                                 SOUP_SOCKET_SOCKET_PROPERTIES, priv->socket_props,
                                 NULL);
        g_object_unref (remote_addr);
@@ -460,7 +445,6 @@ soup_connection_connect_sync (SoupConnection  *conn,
 
        priv->socket =
                soup_socket_new (SOUP_SOCKET_REMOTE_ADDRESS, remote_addr,
-                                SOUP_SOCKET_SSL_FALLBACK, priv->ssl_fallback,
                                 SOUP_SOCKET_SOCKET_PROPERTIES, priv->socket_props,
                                 SOUP_SOCKET_FLAG_NONBLOCKING, FALSE,
                                 NULL);
@@ -695,12 +679,6 @@ soup_connection_get_ever_used (SoupConnection *conn)
        return SOUP_CONNECTION_GET_PRIVATE (conn)->unused_timeout == 0;
 }
 
-gboolean
-soup_connection_get_ssl_fallback (SoupConnection *conn)
-{
-       return SOUP_CONNECTION_GET_PRIVATE (conn)->ssl_fallback;
-}
-
 void
 soup_connection_send_request (SoupConnection          *conn,
                              SoupMessageQueueItem    *item,
diff --git a/libsoup/soup-connection.h b/libsoup/soup-connection.h
index 8df6112..3da217f 100644
--- a/libsoup/soup-connection.h
+++ b/libsoup/soup-connection.h
@@ -36,7 +36,6 @@ GType soup_connection_get_type (void);
 
 
 #define SOUP_CONNECTION_REMOTE_URI        "remote-uri"
-#define SOUP_CONNECTION_SSL_FALLBACK      "ssl-fallback"
 #define SOUP_CONNECTION_SOCKET_PROPERTIES "socket-properties"
 #define SOUP_CONNECTION_STATE             "state"
 
@@ -80,8 +79,6 @@ void            soup_connection_send_request   (SoupConnection          *conn,
                                                SoupMessageCompletionFn  completion_cb,
                                                gpointer                 user_data);
 
-gboolean        soup_connection_get_ssl_fallback (SoupConnection   *conn);
-
 G_END_DECLS
 
 #endif /* SOUP_CONNECTION_H */
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index 9831172..0f02519 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -86,8 +86,6 @@ typedef struct {
 
        guint        num_messages;
 
-       gboolean     ssl_fallback;
-
        GSource     *keep_alive_src;
        SoupSession *session;
 } SoupSessionHost;
@@ -1431,9 +1429,6 @@ drop_connection (SoupSession *session, SoupSessionHost *host, SoupConnection *co
                                                                 host);
                        host->keep_alive_src = g_source_ref (host->keep_alive_src);
                }
-
-               if (soup_connection_get_ssl_fallback (conn))
-                       host->ssl_fallback = TRUE;
        }
 
        g_signal_handlers_disconnect_by_func (conn, connection_disconnected, session);
@@ -1607,19 +1602,7 @@ status_from_connect_error (SoupMessageQueueItem *item, GError *error)
        if (!error)
                return SOUP_STATUS_OK;
 
-       if (g_error_matches (error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS)) {
-               SoupSessionPrivate *priv = SOUP_SESSION_GET_PRIVATE (item->session);
-               SoupSessionHost *host;
-
-               g_mutex_lock (&priv->conn_lock);
-               host = get_host_for_message (item->session, item->msg);
-               if (!host->ssl_fallback) {
-                       host->ssl_fallback = TRUE;
-                       status = SOUP_STATUS_TRY_AGAIN;
-               } else
-                       status = SOUP_STATUS_SSL_FAILED;
-               g_mutex_unlock (&priv->conn_lock);
-       } else if (error->domain == G_TLS_ERROR)
+       if (error->domain == G_TLS_ERROR)
                status = SOUP_STATUS_SSL_FAILED;
        else if (error->domain == G_RESOLVER_ERROR)
                status = SOUP_STATUS_CANT_RESOLVE;
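Review bot: The surviving `if (error->domain == G_TLS_ERROR)` branch in status_from_connect_error now also covers G_TLS_ERROR_NOT_TLS, but nothing in the code records that dropping the retry is deliberate. A comment above it, such as `/* No SSLv3 retry: every G_TLS_ERROR, including G_TLS_ERROR_NOT_TLS, is final; do not downgrade the protocol. */`, would make it less likely that a SOUP_STATUS_TRY_AGAIN path is reintroduced later. According to the commit message, SoupSocket keeps its fallback property for API compatibility, so code that constructs a SoupSocket directly can presumably still request SSLv3. That is worth stating in the SoupSocket property documentation, which is outside this diff. The function begins and ends outside the hunk.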
@@ -1870,7 +1853,6 @@ get_connection_for_host (SoupSession *session,
        ensure_socket_props (session);
        conn = g_object_new (SOUP_TYPE_CONNECTION,
                             SOUP_CONNECTION_REMOTE_URI, host->uri,
-                            SOUP_CONNECTION_SSL_FALLBACK, host->ssl_fallback,
                             SOUP_CONNECTION_SOCKET_PROPERTIES, priv->socket_props,
                             NULL);
 

